Fortnite Flaw Could Have Exposed Players to Account Takeovers

By Michael Kan, 17 Jan 2019, 8:24 a.m.

The hack targets people who've signed into the game through third-party services such as Facebook, Google, or Nintendo, stealing the special access token used to sign into the popular online game.

A major security flaw in the hit game Fortnite could've allowed a hacker to take over someone's account.

On Tuesday, security firm Check Point demonstrated how you could exploit a series of vulnerabilities within the game to pull off the hack. All the victim needed to do was click an internet link that was secretly rigged to tamper with Fortnite's login process.

The attack itself targeted people who signed into the game through their third-party accounts at Facebook, Google, or gaming providers such as Microsoft, Nintendo, and Sony. The hack didn't try to steal your password; it went after the special access token the third party exchanges with Fortnite to let you log in.

Normally, the authentication token is sent to Fortnite over the back-end. The same login method also removes the need for you to remember a password to access the game.

Unfortunately, authentication tokens can be stolen if the system isn't secure. This was demonstrated last year when Facebook reported a major hack involving pilfered tokens taken from 30 million user accounts.

In Fortnite's case, Check Point noticed that several flaws in the game's online infrastructure made it possible to intercept the tokens as a player signed in. The security firm's researcher successfully pulled this off against a Fortnite account created on Facebook.

"All a victim needs to do is click on the malicious phishing link the attacker sends them," Check Point said. "To increase the likelihood of a potential victim clicking on this link, for example, it could be sent with an enticement promising free game credits." In addition, the hacker could post the link on a Fortnite forum or social media post to gain even more exposure.

Taking over someone's Fortnite account could let you learn personal details about the player, including the partial payment card number tied to the account. You could also make in-game purchases and rack up charges on the same payment card.

The good news is that Fortnite's developer, Epic Games, fixed the problems. But the research is a reminder to be careful around shady internet links.

"We thank Check Point for bringing this to our attention," Epic Games told PCMag in a statement. "As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others."